DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Management Letter for FEMA’s Fiscal Year 2002 Financial Statement Audit

Office of Audits
OIG-04-03    December 2003

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, investigative, and special reports prepared by the OIG periodically as part of its oversight responsibility with respect to DHS to identify and prevent fraud, waste, abuse, and mismanagement.

This report is the result of an assessment of the strengths and weaknesses of the program, operation, or function under review. The independent public accounting firm KPMG LLP performed the audit. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendations herein, if any, have been developed on the basis of the best knowledge available to KPMG and the OIG, and have been discussed in draft with those responsible for implementation. It is my hope that this report will result in more effective, efficient, and/or economical operations. I express my appreciation to all of those who contributed to the preparation of this report.

Clark Kent Ervin
Acting Inspector General

Contents

Preface
Table of Contents ..... i
Executive Summary ..... 1
Appendix A: FY02 Comments and Recommendations ..... 3
Appendix B: Summary status of comments reported in the FY 2001 Management Letter ..... 11
Appendix C: Analysis of Management Comments ..... 15
Appendix D: Management Comments-FAMD ..... 17
Appendix E: Management Comments-ITSD ..... 18
Appendix F: Management Comments-OGFC ..... 19
Appendix G: Management Comments-Region II ..... 23
Appendix H: Management Comments-Region IX ..... 26
Appendix I: OIG contributors to this report ..... 29
Appendix J: Report Distribution ..... 30

Management Letter for FEMA’s Fiscal Year 2002 Financial Statement Audit   Page i

APPENDIX A: FY 2002 COMMENTS AND RECOMMENDATIONS

1.
Human Resources Division (HRD)

Based on our review of 32 items related to the Federal Employees’ Group Life Insurance (FEGLI) Program, we noted three instances in which the life insurance cost deducted from the employee’s paycheck was not supported by a SF-2817, Life Insurance Election. All eligible employees are covered unless they decline coverage in writing by completing the SF-2817. The SF-2817 also documents the amount of coverage chosen. In two of the instances, the SF-2817 showed that the employee had elected coverage for which the cost did not match the cost deduction from the employee’s paycheck. In the third instance, no SF-2817 existed in the employee’s personnel file; therefore, the life insurance cost deducted from the employee’s paycheck could not be verified. FEMA was unable to provide current SF-2817 forms or other supporting documentation to support the life insurance costs deducted from these three employee paychecks.

As a result of this issue, the employees’ withholdings, federal government contributions to the program, and payment of program benefits could be incorrect.

The Office of Personnel Management (OPM) has overall authority and responsibility for the FEGLI program, and in turn, OPM has delegated authority to the individual agencies to accomplish the following: 1) determine the coverage eligibility of participants; 2) collect and remit participant withholdings and agency contributions in a timely manner; and 3) maintain individual participant records to ensure proper control of the program. In addition, the Standards for Internal Control in the Federal Government issued by the General Accounting Office (GAO) requires that the documentation that supports entity transactions and significant events be readily available for examination.

1.1  We recommend that HRD perform periodic checks of personnel files to ensure that the most current documentation is maintained to support the employees’ FEGLI election and other benefit elections.

2. Cerro Grande Claims Administration

The Office of Cerro Grande Fire Claims (OCGFC) Payment Approval System (PAS) serves as a workflow manager and payment approval processing tool for submitted fire claims. PAS allows claims reviewers to review claim information and authorizing officials to approve claim payments. PAS was initially designed as a personal computer (PC) based system. However, as the volume of claims increased, it was migrated to a network-based system. PAS was implemented at OCGFC in November 2000 by a contractor, who continues to work with OCGFC to support the system.

There are three security access levels for PAS, as follows:

- Network level - requires a unique user ID and password to gain access to the PAS application.
- PAS Level 1 - allows the use of a generic user ID and password to gain access.
- PAS Level 2 - requires a unique user ID and password to approve claims.

During the course of our testwork, we noted the following areas for improvement related to the PAS information security controls:

1. At the time of our review in October 2002, 167 users had access to PAS. Of these 167 users, 138 (83 percent) no longer needed access. This situation was caused by OCGFC not removing user access when personnel terminated their employment with the OCGFC. As reported in our Independent Auditor’s Report on FEMA’s FY 2002 Financial Statements, FEMA’s overall process for terminating users’ system access needs improvement. Terminated employees who retain system access privileges can be a significant risk because they may be able to sabotage or otherwise impair agency operations or assets. Of the 138 users no longer requiring PAS access, 16 had the access privilege of Project Manager, which allowed them to approve claim payments.

2. Access to PAS Level 1 only requires a generic user ID and password. With this generic user ID and password, users can view and modify claim data, although they cannot approve claims. In addition, PAS Level 1 users can access claims under another reviewer’s user account by selecting the reviewer’s name from a drop-down menu. Weak user system access controls such as these increase the risk of unauthorized access and reduce user accountability.

3. PAS password settings can be improved in several areas.

   a. The system does not lock out users after a certain period of inactivity.
   b. The system does not lock out users after three invalid attempts at PAS Level 2.
   c. System passwords can be four characters in length at PAS Level 2 rather than the eight characters required by FEMA policy.
   d. Users are not required to change their system passwords periodically.

   Although sensitive PAS processing devices are in restricted areas, which helps reduce the risk of unauthorized access, good system password controls still should be maintained.

4. Standard change control documentation with appropriate management signatures does not exist for all PAS program changes. OCGFC officials said that program changes are approved via verbal communications and writing the change on a “whiteboard.” We tested five system changes made during FY 2002, and we were informed that three of the changes were based on verbal authorizations and two were written on a “whiteboard” but subsequently erased. As a result, we could not verify that management approved the system changes.

5. PAS separation of duties should be strengthened. The PAS contractor continues to perform PAS programming functions, has access to the PAS test and production environments, has the ability to change data and assign security rights, and has personally submitted four Cerro Grande fire claims. Without appropriate separation of duties, OCGFC faces the risk of unintentional programming errors being entered into production, unauthorized or unpublished changes to PAS code, and entrance of viruses or malicious code into PAS.

As a result of these issues, PAS is subject to additional risks of unauthorized disclosure, modification, or destruction of data.

Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources,
defines “information technology” as any equipment or interconnected system or subsystem used by the agency directly or used by a contractor under a contract with the agency. In addition, OMB Circular A-130 requires that Federal agencies implement technical controls in accordance with relevant National Institute of Standards and Technology (NIST) guidance. NIST’s September 1996 Generally Accepted Principles and Practices for Securing Information Technology guides that agencies should: 1) ensure that terminated employees’ system access is removed; 2) ensure that system users are required to uniquely identify themselves to the system before being allowed to perform any functions; 3) ensure systems limit the number of log-on attempts; and 4) implement separation of duties controls such that a single individual cannot subvert a critical process.

The GAO Federal Information Systems Control Audit Manual (FISCAM) requires that policies and procedures be in place that prescribe who can authorize a system modification and how these authorizations are to be documented. The use of standardized change request forms helps ensure that requests are clearly communicated and that approvals are documented. The FEMA Information Resources Management Policy and Procedural Directive (FIRMPD) requires: 1) the suspension of a computer session (i.e., computer lockup) after ten minutes of inactivity; 2) a limit of three consecutive invalid log-on attempts prior to lock out of computer users; 3) that agency system passwords be at least eight alphanumeric characters in length and include at least one numeric character (0-9); and 4) that system passwords be changed at least once every 90 days.

We recommend that the OCGFC:

1.1  Review all OCGFC users who have access to PAS, lock any user accounts that are no longer needed, and ensure that a process is implemented to periodically review PAS users to ensure that only authorized individuals (e.g., current employees) have access to the system.

1.2  Ensure that the PAS Level 1 access controls are modified to create individual user login accounts and that the individual accounts have strong password controls.

1.3  Review PAS password parameters and modify them to:

     a. Lock user computers after some reasonable period of time (e.g., ten minutes) of inactivity;
     b. Lock out users after three invalid system log-on attempts;
     c. Ensure the use of eight alphanumeric password characters, with at least one numeric character, as required by the FIRMPD; and
     d. Require that users change their system passwords every 90 days, at a minimum.

4.4  Establish a standard program change request form to document all PAS program changes, require prior documented management approval for all system changes, and perform a comprehensive review of PAS production programs to ensure that only management-approved programs are running in the production region.

4.5  Remove or, at least, closely monitor and control the access of the PAS contract application programmer from the production region of PAS and ensure a more detailed review of all claims submitted by personnel with access to PAS, including contractor personnel.

3. Mission Assignments and Interagency Agreements

Mission assignments are interagency agreements that are provided in anticipation of, or in response to, a Presidential Disaster Declaration. FEMA issues mission assignments to other Federal agencies stipulating performance of a specific task and including information such as funding, managerial controls, and guidance. Mission assignments are administered by the Disaster Finance Branch, and other types of interagency agreements are administered by the Financial and Acquisition Management Division (FAMD).

During the course of our testwork, we noted the following improvements that could be made in the mission assignment and interagency agreement processes:

1.
Of a sample of 15 mission assignments entered into during FY 2002, the Lead Accountant either did not perform or did not document the review of the Request for Federal Assistance (RFA), as required, for three RFAs.

2. Of a sample of 15 mission assignments closed during FY 2002, the FEMA project officer did not approve six RFAs issued to de-obligate the remaining funds.

3. A periodic reconciliation between ProTrac and the Integrated Financial Management Information System (IFMIS) was not performed to ensure the accurate transfer of programmatic and financial data between the systems. ProTrac is the system used by FAMD to track the interagency agreements open at any point in time.

4. No written policies and procedures exist for the monitoring and maintenance of interagency agreements.

5. Of a sample of 15 interagency agreements entered into during FY 2002, one of the files selected could not be located.

As a result of these issues, an increased risk exists that a mission assignment or interagency agreement will not be correctly processed and/or recorded.

The Standards for Internal Control in the Federal Government issued by the GAO requires that internal controls be implemented and that such controls be documented, and the Standard Operating Procedure (SOP) entitled Processing Mission Assignments requires that RFAs be reviewed and approved.

We recommend that FAMD:

1.1  Remind all appropriate personnel of the policies related to the review and approval of RFAs for both obligating and de-obligating actions and enforce such review requirements through a monitoring program.

1.2  Perform and document a periodic reconciliation between ProTrac and IFMIS. A supervisor should review this reconciliation.

1.3  Develop and implement agency-wide policies and procedures for the monitoring and close-out of interagency agreements. These policies and procedures should include a standardized filing system and documentation requirements to ensure the proper monitoring and maintenance of the interagency agreements.

1.4  Enhance document retention procedures to ensure that all interagency agreement files can be located timely.

4. Grants Management

During the course of our testwork, we noted the following improvements that could be made to the grants management process:

Region II

1. At the end of each quarter, Region II personnel did not consistently reconcile in a timely manner total nondisaster grant obligations and disbursements between IFMIS and SmartLink.[1] Instead, these reconciliations were performed upon receipt of the Financial Status Reports (FSR). However, States or Commonwealths were occasionally delinquent in submitting their quarterly FSRs, leading to a delay in the preparation of the related reconciliations. Although reconciling the FSR, IFMIS, and SmartLink together may seem more efficient, the delay in reconciling IFMIS and SmartLink could lead to errors not being identified and corrected timely.

2. The second quarter reconciliations for two nondisaster grant programs were not performed correctly. In comparing total disbursements between IFMIS and SmartLink, not all disbursements made through the end of the quarter were considered.

3.
A tracking mechanism for ensuring the receipt of all nondisaster grant FSRs was not used.

Region IX

4. Grant files were not properly maintained for Region IX’s nondisaster grants. Several files that we requested could not be located, and overall the files lacked organization. For example, sections were not reserved for closeout documents, correspondence and reports were not in chronological order, and FSRs were missing.

5. Region IX personnel were unable to provide evidence of any monitoring of cash-on-hand balances maintained by grantees of nondisaster grants.

6. Region IX personnel did not perform any quarterly reconciliations between IFMIS, SmartLink, and the FSRs for the first, second, or third quarters of FY 2002 for the region’s nondisaster grant programs.

7. Region IX personnel did not track the receipt of FSRs related to nondisaster grants. As a result, certain requested FSRs could not be located.

8. Region IX personnel did not coordinate with the Northridge Long-Term Recovery Area Office to correct differences noted in FY 2002 reconciliations for the Northridge Disaster (Disaster #1008) public assistance grant program.

9. Disaster grant reconciliations between the amounts recorded as disbursements per the FSR and the amounts recorded in IFMIS and SmartLink were not completed properly.

10. Region IX was unable to provide documentation to support the extension or requests for extension for 8 of 13 Northridge hazard mitigation grant projects, likely as a result of poor record keeping.

[1] SmartLink is a subsystem of the Department of Health and Human Services’ Payment Management System that FEMA uses to disburse grants.

The following require that accounts be reconciled timely and recorded accurately: the Standards for Internal Control in the Federal Government issued by the GAO; the SOP entitled Reconciling Grant Programs issued by FAMD in March 1999; and Statement of Federal Financial Accounting Standards (SFFAS) No. 1, Accounting for Selected Assets and Liabilities, paragraphs 57 and 59. Untimely reconciliations could lead to delays in identifying and correcting errors related to obligations and disbursements.

We recommend that Region II and Region IX:

4.1  Implement a method for tracking nondisaster grant FSRs to help ensure that all activity related to nondisaster grants has been recorded properly.

We recommend that Region II:

4.2  Reconcile IFMIS and SmartLink promptly at the end of each quarter in accordance with the SOP, Reconciling Grant Programs, regardless of when the related FSRs are received, to ensure that nondisaster grants are properly recorded and de-obligated as funding is disbursed and received.

4.3  When performing the quarterly reconciliations for all nondisaster grant programs, ensure that the comparison of total disbursements between IFMIS and SmartLink considers all disbursements made through the end of the quarter.

We recommend that Region IX:

4.4  Develop and implement a method for organizing, filing, and monitoring its grant files to ensure that the files are complete, organized, and available.

4.5  Develop and implement policies and procedures to monitor cash-on-hand balances of nondisaster grantees.

4.6  Reconcile all grant programs on a quarterly basis in accordance with the SOP to ensure that funds are de-obligated on a timely basis and that errors are resolved and corrected timely.

4.7  Record the appropriate adjustments based on the FY 2002 reconciliations of Disaster #1008’s Public Assistance grant to ensure that this grant’s activities and balances are properly reflected in IFMIS.

     In addition, Region IX personnel should coordinate with the Northridge Long-Term Recovery Area Office in reconciling cumulative grant expenses and obligations for Disaster #1008 and correcting any identified variances on a quarterly basis.

4.8  Develop and implement procedures to ensure that disaster grant reconciliations between the amounts recorded as disbursements per the FSR and the amounts recorded in IFMIS and SmartLink are completed properly.

4.9  Develop and implement policies and procedures to ensure that appropriate documentation is on hand to support extensions of hazard mitigation grants.

5. Budget Reprogrammings

During the course of our testwork, we noted the following improvements that could be made related to budget reprogrammings:

1. FEMA should review and, if necessary, update its policies and procedures for identifying, communicating, and recording reprogrammings to ensure the consistency and accuracy of their application.

2.
FEMA’s Congressional & Intergovernmental Affairs Division did not consistently follow its internal policies and procedures relating to the retention of correspondence with Congress for reprogrammings.

The Standards for Internal Control in the Federal Government issued by the GAO states that internal controls include the policies, procedures, techniques, and mechanisms that enforce management’s directives.

We recommend that:

5.1  FAMD develop and implement written policies and procedures for the reprogramming process that include, but are not limited to, the following information:

     a. The definition and proper identification of reprogrammings;
     b. The individuals in FAMD who are responsible for performing reprogrammings; and
     c. The procedures to communicate with Congress and OMB to obtain approval prior to executing reprogrammings when necessary.

5.2  The Congressional & Intergovernmental Affairs Division enforce its procedures to document and retain all written and oral communication with Congress regarding reprogrammings.

6. Information Technology – Region II

During the course of our testwork, we noted the following areas where information technology (IT) controls could be improved:

1. We tested ten User Access Request (UAR) forms for the National Emergency Management Information System (NEMIS) and noted that one user approved her own UAR. Although this case appeared to be an exception, such a control weakness could lead to unauthorized access to critical data. Region II officials noted that the employee only granted herself print access, not system-processing access. However, under no circumstances should end users approve their own system access rights.

2. The Region II Continuity of Operations Plan (COOP) had not been updated since September 2000. We noted that several of the points of contact in the COOP were not current, and critical regional personnel did not maintain copies of the COOP off-site. Consequently, critical personnel may not know whom to contact or know all their responsibilities in the event of a disaster. Although Region II had a system and data backup process, a current and complete COOP is needed should a significant system or data center outage occur.

OMB Circular A-130 requires that Federal agencies implement technical security controls in accordance with NIST guidance. NIST, in its September 1996 Generally Accepted Principles and Practices for Securing Information Technology Systems, guides that organizations should: 1) implement adequate separation of duties such that a single individual cannot subvert a critical process; and 2) keep contingency plans current and periodically test and revise them. A business continuity plan such as the COOP is a key component of an organization’s overall contingency planning strategy.

We recommend that Region II:

1.1  Remind all personnel that all system UARs must be approved by a manager who is not the access requester.

1.2  Continue with plans to work with the Office of National Preparedness to update the Region II COOP.

7.
IFMIS

Three FEMA contract employees and one FEMA employee share the same highly privileged IFMIS user account that is used to migrate IFMIS software code into production. We inquired with the Information Technology Services Directorate, Office of Cyber Security, and noted that during FY 2002, a waiver for this group account had not been approved by the FEMA Chief Information Security Officer (CISO), as required by the FIRMPD. However, subsequent to the completion of our audit, a waiver was approved by the CISO. Therefore, we have no recommendation at this time.

APPENDIX B: SUMMARY STATUS OF COMMENTS REPORTED IN THE FY 2001 MANAGEMENT LETTER

Columns: FY 2001 Management Letter Recommendation Number | Location/Office | Audit Area | Description of Audit Finding | Implementation Status of Recommendation as of September 30, 2002 | Rationale, If Recommendation Considered Open

1.1 | OCGFC | Cerro Grande Administration | Lack of sufficient documentation for claims | Implemented and closed | N/A
1.2 | OCGFC | Cerro Grande Administration | Duplication of benefit searches | Implemented and closed | N/A
1.3 | OCGFC | Cerro Grande Administration | Lack of detailed assessments of the EDP controls supporting ACIS or the contractor’s data center in New Jersey | Expanded and included in the FY 2002 internal control report | N/A
1.4 | OCGFC | Cerro Grande Administration | ACIS user password history feature is not activated | Not implemented and open | Condition cited continues to exist.
1.5 | OCGFC | Cerro Grande Administration | Claims audited by the comptroller did not always represent 20 percent of claims to be paid | Implemented and closed | N/A
1.6 | OCGFC | Cerro Grande Administration | Significant time lag between determination and communication of overpayments by OCGFC to the Disaster Finance Branch (DFB) and to the claimant | Implemented and closed | N/A
1.7 | OCGFC | Cerro Grande Administration | Two of 28 commitment forms (FEMA Form 40-1) tested were not approved by both the program head and the comptroller | Implemented and closed | N/A
2.1 | HRD | Human Resources | Based on a sample, leave audits were either not conducted at the end of pay period 13 or the leave audit performed was not documented | Not implemented and open | Condition cited continues to exist.
2.2 | Headquarters/HRD, Headquarters/ITSD and Headquarters/FAMD | Human Resources | Electronic Data Processing controls for QuickTime system can be improved | Implemented and closed | N/A
3.1 | Regions V and VI | Grants Management | Reconciling grant programs | Not implemented | Insufficient time
               and open           to implement\n                                                                                               recommendation\n                                                                                               during FY 2002.\n\n          3.2   Region V and    Grants         Recording of Project         Implemented and    N/A\n                Headquarters/   Management     Impact expenses              closed\n                   FAMD\n          3.3   Headquarters/   Grants         Nine employees               Expanded and       N/A\n                 ITSD and       Management     identified by information    included in the\n                Headquarters/                  obtained from FEMA as        FY 2002 internal\n                    HRD                        being terminated still had   control report\n                                               active access to NEMIS\n          4.1   Headquarters/ Reimbursable     Inadequate process for       Not implemented    Condition cited\n                   FAMD       Agreements       determining accounts         and open           continues to exist.\n                                               receivable related to\n                                               individual reimbursable\n                                               agreements\n          4.2   Headquarters    Reimbursable   Advance balances exist       Implemented and    N/A\n                 and DFB/       Agreements     for certain agreements       closed\n                  FAMD                         with expired performance\n                                               periods\n          4.3   DFB/FAMD        Reimbursable   Improve control              Partially          N/A\n                                Agreements     procedures over Fund 27      implemented\n                                               reimbursable agreements      and closed; see\n                                            
                                related FY 2002\n                                                                            recommendation\n                                                                            #4.1\n\n\n\n\nPage 12                 Management Letter for FEMA\xe2\x80\x99s Fiscal Year 2002 Financial Statement Audit\n\x0cAPPENDIX B: SUMMARY STATUS OF COMMENTS REPORTED IN THE FY 2001 MANAGEMENT LETTER\n\n\n\n\n          5.1          DFB/FAMD       Grants         Lack of written policies    Partially          Although written\n                                      Management     and procedures for the      implemented and    procedures now\n                                      - Accounts     periodic determination      open               exist, we did not\n                                      Receivable     of the allowance for                           find evidence that\n                                                     uncollectible accounts                         these procedures\n                                                                                                    were fully\n                                                                                                    implemented\n                                                                                                    at September\n                                                                                                    30, 2002. 
In\n                                                                                                    addition,\n                                                                                                    the written\n                                                                                                    procedures do not\n                                                                                                    include individual\n                                                                                                    account analysis.\n          6.1          Headquarters   Various        Double-counting of          Expanded and       N/A\n                        and DFB/      - Accounts     certain invoices in the     included in the\n                         FAMD         Payable        accounts payable accrual;   FY 2002 internal\n                                      Accrual        certain expenses omitted    control report\n                                                     from the accrual\n          7.1          Headquarters   Property       Building improvements       Partially          Based on\n                        and DFB/      Management     are depreciated over        implemented and    FAMD\xe2\x80\x99s\n                         FAMD                        20 years without            open               review of all\n                                                     consideration of the                           Property Plant &\n                                                     remaining useful life of                       Equipment as part\n                                                     the related buildings                          of its nationwide\n                                                                                                    equipment\n                                                                                                    inventory, the\n                 
                                                                                   balance for this\n                                                                                                    asset class was\n                                                                                                    corrected to\n                                                                                                    remove erroneous\n                                                                                                    items. However,\n                                                                                                    no specific\n                                                                                                    changes were\n                                                                                                    made to FAMD\xe2\x80\x99s\n                                                                                                    depreciation\n                                                                                                    methodology for\n                                                                                                    this asset class.\n\n\n\n\n                Management Letter for FEMA\xe2\x80\x99s Fiscal Year 2002 Financial Statement Audit                        Page 13\n\x0cAPPENDIX B: SUMMARY STATUS OF COMMENTS REPORTED IN THE FY 2001 MANAGEMENT LETTER\n\n\n\n\n          8.1     Headquarters/    Performance   Lack of written policies     Implemented and       N/A\n                       FAMD;       Measures      and procedures               closed\n                   Emmitsburg/\n                  United States\n                   Fire Admin-\n                      istration;\n                  Headquarters/\n                        ITSD;\n                  Headquarters/\n                  National Secu-\n                   rity Division\n         
 8.2     Headquarters/    Performance   FEMA\xe2\x80\x99s performance           Implemented and       N/A\n                       FAMD        Measures      reporting for FY 2001        closed\n                                                 could be improved\n\n\n\n          9.1     Headquarters/ Financial        Required risk assumed        Implemented and       N/A\n                     FAMD       Reporting        information relating         closed\n                                                 to the National Flood\n                                                 Insurance Program\n  10.1 and 10.2   Headquarters/ IT Controls      Joint Financial              Implemented and       N/A\n                    FAMD,                        Management                   closed\n                  Headquarters/                  Improvement Program\n                     ITSD                        certified version of IFMIS\n                                                 could not be verified\n      11.1        Headquarters/ Laws and         Primary sources of           Not implemented       Condition cited\n                     FAMD       Regulations      information for the          and open;             continues to exist.\n                                                 annual assurance             noncompliance\n                                                 statements of selected       with the Federal\n                                                 FEMA managers were           Manager\xe2\x80\x99s\n                                                 audits conducted by          Financial Integrity\n                                                 external parties and the     Act cited in FY\n                                                 Office of the Inspector      2002 compliance\n                                                 General                      report\n\n\n\n\nPage 14                    Management Letter for FEMA\xe2\x80\x99s Fiscal Year 
2002 Financial Statement Audit\n\x0c                                                APPENDIX C: ANALYSIS OF MANAGEMENT COMMENTS\n\n\n\nWe received written comments on the draft of our management letter from the following FEMA management\nofficials:\n\n\xe2\x80\xa2   Director, Office of Cerro Grande Fire Claims (OCGFC)\n\n\xe2\x80\xa2   Assistant Director/Chief Information Officer, Information Technology and Services Directorate (ITSD)\n\n\xe2\x80\xa2   Acting Regional Director, Region II\n\n\xe2\x80\xa2   Regional Director, Region IX\n\n\xe2\x80\xa2   Acting Chief Financial Officer, Financial and Acquisition Management Division (FAMD)\n\nThese written comments are presented in Appendices D through H. FEMA officials generally expressed agreement\nwith the findings and recommendations of the draft management letter and indicated that in some cases, corrective\nactions had been taken or were underway. In other instances, management presented other information and we\nmade changes to the report as appropriate or have provided our analysis of those comments as follows:\n\nOCGFC\nRegarding our recommendation 2.1 to lock any Payment Approval System (PAS) user accounts that are no longer\nneeded, OCGFC instead plans to delete these accounts. For future issuances of user accounts, OCGFC plans to\nissue them only on a short-term, interim basis, and to review and validate all user accounts on a quarterly basis to\nensure that unneeded users accounts are removed. OCGFC also plans to remove user accounts for any employees\nimmediately following their departure.\n\nRegarding our recommendations 2.3(a) through 2.3(d) to modify PAS password parameters, OCGFC states that they\ndo not plan to implement recommendation 2.3(a), but do plan on implementing recommendations 2.3(b), 2.3(c),\nand 2.3(d). Recommendation 2.3(a) calls for locking user computers after ten minutes of inactivity. 
However, OCGFC states that implementing this recommendation would require “some expense and system downtime” and would, therefore, not be practical to perform. We believe that our recommendation 2.3(a) could be implemented even without extensive modifications to the PAS software. For example, the individual personal computer station can be easily modified to include password-protected screen savers that would restrict access by any unauthorized user, yet allow the user to perform all the necessary offline activities stated in OCGFC’s response. We therefore plan to continue recommending that OCGFC revisit their response and determine some practical implementation of our recommendation 2.3(a).

Regarding our recommendation 2.5 to remove, or closely monitor and control, the access of the PAS contract application programmer from the production region of PAS, OCGFC states that they will continue to monitor all contractor activity and ensure the required review and approval of all PAS payment activity. OCGFC states, furthermore, that based on their oversight of the contractor’s activities, they do not plan to terminate this contractor. Our recommendation did not call for this contractor to be terminated, but did call for close monitoring and control of his activities. As long as OCGFC continues to implement this part of our recommendation, we do not disagree with OCGFC’s decision to retain this contractor.

FAMD

Regarding our recommendation 5.1 to review and update their policies and procedures guidance related to budget reprogrammings, our initial recommendation was that FAMD should prepare such guidance.
However, FAMD provided their most current guidance related to such activity and we, therefore, modified our initial recommendation to instead suggest that FAMD review and, if necessary, update their current guidance.

APPENDIX D: MANAGEMENT COMMENTS - FAMD

APPENDIX E: MANAGEMENT COMMENTS - ITSD

APPENDIX F: MANAGEMENT COMMENTS - OGFC

APPENDIX G: MANAGEMENT COMMENTS - REGION II

APPENDIX H: MANAGEMENT COMMENTS - REGION IX

APPENDIX I: OIG CONTRIBUTORS TO THIS REPORT

Sue Schwendiman, Director
Vonna Holbrook, Audit Manager
Charles Egu, Auditor

APPENDIX J: REPORT DISTRIBUTION

Michael D. Brown
Under Secretary
Emergency Preparedness and Response

Patrick Rhode
Chief of Staff
Emergency Preparedness and Response

Matt Jadacki
Acting Chief Financial Officer
Financial and Acquisition Management Division

Barry C. West
Chief Information Officer
Information Technology and Services Directorate

Lea Ann McBride
Acting Director
Office of Public Affairs

Daniel A. Craig
Director
Recovery Division

Douglas G. Fehrer
Director
Human Resources Division

Joseph Picciano
Acting Regional Director
Region II

Jeff Griffin
Regional Director
Region IX

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to Department of Homeland Security, Washington, DC 20528, Attn: Office of Inspector General, Investigations Division – Hotline. The OIG seeks to protect the identity of each writer and caller.
'